Todd McKinnon explains how his startup, Okta, provides customers with centralized access control for thousands of cloud applications -- and now on-premise apps as well

Cloud and mobile have vastly expanded the surface area of computing. In doing so, they have expanded risk. The main worry isn't that malicious hackers will break into a cloud service or a mobile device; it's that the wrong person may access sensitive data -- such as a recently fired employee whose logon to the company's cloud-based CRM app (oops!) still works.

One effective way to reduce that elevated risk is through identity management -- or, if you believe Todd McKinnon, cloud-based identity management. McKinnon can boast serious cloud cred after serving as senior vice president of engineering at Salesforce.com from 2003 to 2009. Now he's CEO of Okta, a cloud startup launched in 2011 and backed by Andreessen Horowitz. Okta seeks to simplify identity management for customers by maintaining integrations with thousands of applications, as well as enabling more efficient management of the rights, permissions, and profiles of users.

IDG Communications chief content officer John Gallant and I first sat down to interview McKinnon in September. As it turned out, Okta was on the cusp of a major update, so InfoWorld executive editor Doug Dineley and I circled back with McKinnon for another session. The following conversation is a combined, edited version of the two.

InfoWorld: Does Okta mean anything?

McKinnon: Okta is a meteorological scale that tells you how much cloud cover there is. I think right now we're at about a six okta, seven okta. Pilots use it to report on weather conditions.

InfoWorld: What prompted you to start Okta?

McKinnon: The mission of Okta is to help companies build better IT. There are a lot of very important changes going on that I'm sure your readers are familiar with. There's the reinvention of everything in the IT stack as a cloud service. There's a lot of great innovation in the cloud, everything from IaaS, which is more of an emerging area, to the application layer, which is probably what most people are consuming now. As companies think about consuming that, it's a big opportunity, but it's also a little bit murky how they do that.

The second big trend -- and this is not a news flash for anyone -- is mobile. Every company is trying to figure out how they can drive business value, beat their competition, and serve their customers better with mobile. You have CSOs, CFOs, CEOs asking, "What do we do about mobile?" Companies are under a lot of pressure to deliver mobile value.

The third big thing going on is less talked-about than the first two: Companies are at the point where they're really starting to more comprehensively connect with their customers, their partners, their suppliers, and their value chain. You remember the big B-to-B hype. The promise of that, where you have an integrated supply chain, where you could have much less friction and much higher margins, is really starting to happen.

One customer of Okta is a pipe company in Tulsa, Okla. When a pipe company in Tulsa, Okla., is embracing cloud apps and mobile to more effectively connect with their customers, employees, suppliers, and partners, it's finally happening. You see that happening across the spectrum.

So what we're really about is these three big trends: cloud, mobile, and connecting B-to-B or B-to-C.

InfoWorld: Why do those trends demand a new identity management solution?

McKinnon: They put a big point of pressure on identity technology. We're here to provide that. We're here to solve that problem for them. Companies have so many more applications now. We go to these companies and ask them: How many applications do you have? They say they have 40. We get in there and once they use our technology to hook them up to Okta, we find out they have 100.

That's because for a long time the natural limiter on how many applications a company could have wasn't the budget -- it was how many they could deploy. The IT program management office was your constraint. The program manager decided how many they could roll out. Now it's much different. The cloud and mobile vendors can go right to the end-users, and they get 100 applications before they know it.

InfoWorld: So how do you do it? How do you solve this problem differently than in the past?

McKinnon: We built a system that is integrated to everything. Our identity service is a cloud service itself.

When you deploy these legacy technologies like LDAP or Active Directory or Oracle Identity Management, these things had integrations and connectors to all these services. They were fine the day you got them installed. But as all these services would be upgraded and your enterprise would evolve over time, they'd be out of date. It became a huge pain to keep integrated.

When it was all in your data center, you could take shortcuts -- maybe what we'll do is just use network security and that will be good enough. But now you're in this world where it's not in the data center anymore. It's federated. You're consuming things from all over. We built Okta as a cloud service and we manage it centrally so that we can keep it up to date. We know when there's a new version of this stuff. We know when there's a new version of Salesforce. We know when there's a new version of Concur. If something does break, we fix it quickly. We don't leave it to our customers to fix it themselves.

We have more than 500 enterprise customers. In our catalog of applications we have over 3,000 that come pre-integrated with Okta out of the box.

InfoWorld: To be clear, you're still talking about managing identity for cloud applications, not trying to wrap that around legacy applications as well, or are you going both ways?

McKinnon: We're really excited to announce we're connecting to on-premise as well with our Okta Application Network. Before it was marginally cloud applications, with the exception that we connected very deeply with LDAP and Active Directory. Now we're announcing we can also connect to on-premise applications to really bring that half of the environment inside the data center into the Okta ecosystem. It's a huge step forward.

InfoWorld: In that case, don't you have a lot of development work in front of you, building connectors to the locally installed stuff?

McKinnon: Well, the second big announcement is around how these applications integrations get added to our network. Up until now we have built and maintained all of these applications integrations, all 3,000 of them. But there are a lot more than 3,000 applications in the world. Just last week I was visiting a customer, a big group of about 100 auto insurance dealers across the country. These guys have 35 applications that are very specific to the automotive distribution industry. If you add up all those kinds of applications in different vertical industries, you come up with not 3,000, but 30,000 or 300,000.

So we're very excited to announce a customer- and community-driven application connector platform. Now this auto distributor in North Carolina that owns 100 auto dealerships can build their own integration to those vertical applications and not only use those themselves to integrate in their Okta deployment, but also share them with all the other customers in our network. Every customer that does this makes our network stronger, and subsequent customers benefit from this community-created and community-maintained network of connections.

We built our service in the cloud, so these things are centrally managed and maintained. It used to be just by us, but now it's by our whole community. Our 500 enterprise customers and a bunch of systems integrators that are working with us can create and maintain those connectors and future-proof our whole ecosystem.

InfoWorld: This is basically a community site where people can publish new connectors to different applications?

McKinnon: Exactly. The benefit to the customer is that over time, every application they want to integrate to will be there.

InfoWorld: Are you opening up a toolkit to build these?

McKinnon: It's a toolkit, it's an API, it's a set of wizards that let them create those and share those. It's a process where, just like the Apple App Store, we have a review process to make sure they're legitimate. We have a review process and a community process that certifies them. It's the whole nine yards.

InfoWorld: What are the incentives for this community of developers to build a lot of connectors? What are you doing to foster that development?

McKinnon: That's a good question. The first incentive and the first people who are going to use this capability are our customers and our systems integrator partners that need to solve this issue for their users or their company or their customers. That's going to be the incentive: Where there's no integration, they want to build it. We're going to develop ways over time to encourage them to really contribute that stuff back to the community. But we're not announcing that yet. Frankly, the first step is getting the kit out there, so the customers can use it to solve their problems and figuring out how to reward them at a later time.

InfoWorld: In your latest announcement, you also said you were increasing the "depth of your integration." Could you explain what you mean by that?

McKinnon: Right now, you take our application and we can integrate the content of a user profile. We can synchronize and store data from multiple services, and we can replicate that user data, that user profile data, to different services. It works for some services, but it has a limited set of fields, and in the past it's had limited support.

Now it's truly universal support, so we can support any kind of field and we can map that data to any service. That lets us push that user profile data and integrate it across every application that a customer would want to do that to. That's a big change. We call that really opening up our directory and integrating our user profile data across all the user profile data for the applications in our network.

InfoWorld: What's the real-world benefit?

McKinnon: It enables every application that the company is using to have the user information. So there will be no system that an employee uses, or no system that a customer uses, that doesn't have, say, their phone number in it.

Right now our customers have a really basic problem. The HR system has their address, but none of the other systems do. Neither the benefit system nor the employee Internet nor any of the other systems that need the address have it, so they have to reenter it. That's a pretty simple example, but it pervades many different company use cases, whether it's customer shipping information or all the things about a user that need to be replicated across multiple systems. We've solved that problem now.

InfoWorld: What about control over what's shared and what isn't? How is that managed?

McKinnon: It's a rule. That's part of what we're releasing. The customer can specify rules that control what gets copied where. The end-user has some control as well, but the main paradigm is that it's a rules-driven engine.

InfoWorld: Let's move on to the competitive landscape. Salesforce recently announced an identity management system. Do you see it as a threat?

McKinnon: The actual announcement was a little over a year ago. It still isn't really out yet. It's always scary when someone big and powerful and with so much presence as Salesforce tries to compete with you. We looked at what it announced, though, and the company did none of the hard stuff. The best example is that, out of the box, it integrated 25 apps. It takes time to build this collection of integrations, and it also takes time to build a community of users like we have now that will contribute to a community-maintained app.

I think Salesforce is great. I mean, I worked there for a long time. I know a lot of people there. It's an amazing company. I just think it has a lot to do. It has a chance to be a company like SAP. It could dominate several big application categories, and I think what you're seeing is it's going to dabble in a lot of different things.

InfoWorld: What about Microsoft? It's coming on pretty strong in the cloud right now, and after all, it's the Active Directory company. Ultimately, isn't it going to rule in this space?

McKinnon: I think it's a more formidable competitor than Salesforce. It had success in the past at building a developer platform, a broad, horizontal developer platform. It obviously knows about identity. It has the most successful identity product ever in Active Directory.

I think the challenge for Microsoft is twofold. The first is the way it built its identity business on the back of a monopoly on collaboration or the Microsoft Exchange business and their monopoly on the client of the network. Those two things are gone. It's trying with Office 365, but in the collaboration market, there's dead serious competition with companies like Google. Then on the client of the network, the monopoly is gone. I mean half of the devices connected to networks now are not Windows. That's going to be a challenge.